Terraform-aws-eks: Include autoscaling related IAM policies for workers for the cluster-autoscaler

Created on 31 Jul 2018 · 4 comments · Source: terraform-aws-modules/terraform-aws-eks

Currently we have to add the policy outside this module but I think 90% of people will use the cluster-autoscaler so it would be cool to have it included in this module and perhaps enabled with a variable.
kops currently has this by default here.

The policy would look something like this:

data "aws_iam_policy_document" "eks_node_autoscaling" {
  statement {
    sid    = "eksDemoNodeAll"
    effect = "Allow"

    actions = [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeTags",
      "autoscaling:GetAsgForInstance",
    ]

    resources = ["*"]
  }

  statement {
    sid    = "eksDemoNodeOwn"
    effect = "Allow"

    actions = [
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
      "autoscaling:UpdateAutoScalingGroup",
    ]

    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "autoscaling:ResourceTag/Name"
      values   = ["xxxx-eks_asg"]
    }
  }
}

This would allow the cluster-autoscaler the access it needs to run correctly.

What do you think?
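An added example of how the proposal could be wired into a module, not code from the issue or from terraform-aws-eks: the policy is gated behind a variable and the mutating statement is scoped with a tag condition to the ASGs that cluster-autoscaler autodiscovery itself selects, while the read-only statement (including `autoscaling:DescribeTags`, the action the AccessDenied error below complains about) stays unconditional. The variable name, the `aws_iam_role.workers` reference, Terraform 0.12+ syntax and the `owned` tag value are assumptions.

```hcl
# Added example, not the module's own code. Assumed: var names below,
# a worker role resource called aws_iam_role.workers, Terraform >= 0.12,
# and worker ASGs tagged k8s.io/cluster-autoscaler/<cluster_name> = owned.
variable "cluster_name" {}

variable "worker_autoscaling_policy_enabled" {
  description = "Attach the cluster-autoscaler IAM policy to the worker role"
  default     = false
}

data "aws_iam_policy_document" "worker_autoscaling" {
  # Read-only discovery calls: cannot be tag-scoped, autodiscovery needs them all.
  statement {
    sid    = "eksWorkerAutoscalingAll"
    effect = "Allow"
    actions = [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeTags",
    ]
    resources = ["*"]
  }

  # Mutating calls: only on ASGs carrying this cluster's autoscaler tag, so a
  # compromised worker cannot resize or terminate other clusters' groups.
  statement {
    sid    = "eksWorkerAutoscalingOwn"
    effect = "Allow"
    actions = [
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
      "autoscaling:UpdateAutoScalingGroup",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/${var.cluster_name}"
      values   = ["owned"]
    }
  }
}

resource "aws_iam_policy" "worker_autoscaling" {
  count  = var.worker_autoscaling_policy_enabled ? 1 : 0
  name   = "eks-worker-autoscaling-${var.cluster_name}"
  policy = data.aws_iam_policy_document.worker_autoscaling.json
}

resource "aws_iam_role_policy_attachment" "worker_autoscaling" {
  count      = var.worker_autoscaling_policy_enabled ? 1 : 0
  policy_arn = aws_iam_policy.worker_autoscaling[0].arn
  role       = aws_iam_role.workers.name
}
```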

All 4 comments

Hello again @max-rocket-internet 👋

Yep, I'm onboard with this as the cluster-autoscaler seems like potentially one of the most used component service (rivaling dashboard). This feels like a step in making the obvious easy.

Cool. I'll make a PR.

I seem to be running into this issue. Do I need to explicitly add the terraform data "aws_iam_policy_document" "eks_node_autoscaling" ...?

Currently running into the autoscaling failing with:

Failed to create AWS Manager: cannot autodiscover ASGs: AccessDenied: User: arn:aws:sts::759449713008:assumed-role/terraform-eks-demo-node/i-00882555d2d233b8e is not authorized to perform: autoscaling:DescribeTags